Claude - Summary

Approval status: Under review - this tool is not currently approved for use. We are reviewing it for potential approval, but cannot commit to whether or when this might happen.

This summary covers the key points from the detailed guide. Use it to understand how Claude can work in government environments.

What you need to know

Claude is an AI chat assistant created by Anthropic. It helps users write documents, analyse content, and answer questions. You access it through a web browser or mobile app.

What Claude does

  • Answers questions and explains topics
  • Writes and edits documents
  • Summarises and analyses content
  • Helps with coding and technical tasks
  • Analyses uploaded files
  • Integrates with other platforms

Choose the right plan

  • Free: Basic access with usage limits
  • Pro: Individual subscription with higher limits
  • Team: For small groups with collaboration features
  • Enterprise: For organisations with advanced security and controls

For government use: Choose Team or Enterprise for better security controls.

Control your privacy

Your data stays private

Default protections:

  • All chats are private to you
  • Delete conversations anytime
  • Export your data when needed
  • Share specific chats only if you choose

Important: Anthropic does not use your normal conversations to train their AI models.

What gets used:

  • Feedback you provide (thumbs up/down)
  • Chats that break usage rules (for safety only)
  • Data you explicitly agree to share

What never gets used:

  • Your regular conversations
  • Files you upload
  • Personal information

Enterprise controls

Additional protections for organisations:

  • Custom data retention periods
  • Single sign-on integration
  • Audit logging for compliance
  • Administrator controls over user access

Understand where your data goes

Data location

Default: United States data centres

Important: Your chat data will be processed and stored in the US unless you negotiate special arrangements.

For UK government: Assume data will be under US jurisdiction unless arranged otherwise.

Data protection measures

Data in transit: All communications use HTTPS/TLS encryption (bank-level security)

Data at rest:

  • All stored data is encrypted on servers
  • Access is strictly controlled
  • Staff cannot read your chats without permission
  • All access is logged and monitored

How long data is kept

Your control:

  • Keep chats as long as you want
  • Delete anytime (removed within 30 days)
  • Export before deletion if needed

Automatic retention:

  • Policy violations: Up to 2 years
  • Safety monitoring: Up to 7 years
  • Feedback data: Up to 10 years (anonymised)

Enterprise options:

  • Set minimum retention periods (30 days minimum)
  • Automatic deletion of old content

Track usage and access

Audit logging

Available for: Enterprise customers only

What gets logged:

  • User sign-ins and access
  • Role changes and permissions
  • Chat and project activity
  • Administrative actions

What is not logged:

  • Actual chat content
  • Message details

Export audit logs

For administrators:

  1. Use the Enterprise admin console
  2. Export the last 180 days of activity
  3. Get CSV or JSON files with timestamps

Control user access

Account roles

  • User: Can create chats and projects
  • Admin: Can invite and remove team members
  • Owner: Can manage billing and settings
  • Primary Owner: Full organisational control

Authentication options

Standard login: Email-based verification (no passwords stored)

Enterprise login:

  • Single Sign-On (SSO) with your identity provider
  • Works with Okta, Google Workspace, etc.
  • Enforces your organisation’s login policies
  • Automatic user provisioning

Check compliance requirements

Security certifications

Claude has achieved:

  • ISO 27001:2022 - Information security management
  • SOC 2 Type I and II - Operational security controls
  • ISO 42001:2023 - AI management systems
  • FedRAMP High - US government cloud security
  • DoD Impact Level 4/5 - US defence security standards

Healthcare and data protection

  • HIPAA-compliant configuration available
  • GDPR and UK GDPR compliant
  • Business Associate Agreements supported
  • Data Processing Addendum for commercial customers

Government considerations

Strengths:

  • Strong international security certifications
  • No use of data for AI training by default
  • User control over data deletion
  • Enterprise security controls available

Consider these factors:

  • Data processed in the United States by default
  • No UK-specific government certifications
  • May need Data Protection Impact Assessment
  • Custom arrangements required for UK data residency